Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Fraser Tweedale 
On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
> Hello,
> 
> DRAFT for FreeIPA 4.5.0 release notes is ready
> http://www.freeipa.org/page/Releases/4.5.0
> 
> Please update/let me know what is missing, what is extra.
> 
> 
> Martin^2
> 
I think we should add https://pagure.io/freeipa/issue/2614 to the
`Enhancements' section.  There is no design page for it but it was a
big effort and it gives the deployer complete control over the IPA
CA subject DN (previously this was very restricted).

Thanks,
Fraser

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing

2017-03-14 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/397
Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing

tiran commented:
"""
I've moved the code to cert.py and raise SkipPluginModule from there.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/397#issuecomment-286595688
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-03-14 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local 
testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 87c7da85421aa145e7214547ee78edf297cb3b36 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/3] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tight into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditionally. It's only necessary for caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes 
---
 ipaserver/plugins/caacl.py| 86 -
 ipaserver/plugins/cert.py | 90 ++-
 ipaserver/plugins/hbactest.py | 19 +++--
 3 files changed, 105 insertions(+), 90 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index ff1178a..43a397d 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,12 +2,10 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
 from ipalib import Bool, Str, StrEnum
-from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
 from .baseldap import (
 LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery,
@@ -80,90 +78,6 @@
 register = Registry()
 
 
-def _acl_make_request(principal_type, principal, ca_id, profile_id):
-"""Construct HBAC request for the given principal, CA and profile"""
-
-req = pyhbac.HbacRequest()
-req.targethost.name = ca_id
-req.service.name = profile_id
-if principal_type == 'user':
-req.user.name = principal.username
-elif principal_type == 'host':
-req.user.name = principal.hostname
-elif principal_type == 'service':
-req.user.name = unicode(principal)
-groups = []
-if principal_type == 'user':
-user_obj = api.Command.user_show(principal.username)['result']
-groups = user_obj.get('memberof_group', [])
-groups += user_obj.get('memberofindirect_group', [])
-elif principal_type == 'host':
-host_obj = api.Command.host_show(principal.hostname)['result']
-groups = host_obj.get('memberof_hostgroup', [])
-groups += host_obj.get('memberofindirect_hostgroup', [])
-req.user.groups = sorted(set(groups))
-return req
-
-
-def _acl_make_rule(principal_type, obj):
-"""Turn CA ACL object into HBAC rule.
-
-``principal_type``
-String in {'user', 'host', 'service'}
-"""
-rule = pyhbac.HbacRule(obj['cn'][0])
-rule.enabled = obj['ipaenabledflag'][0]
-rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-
-# add CA(s)
-if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all':
-rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-# For compatibility with pre-lightweight-CAs CA ACLs,
-# no CA members implies the host authority (only)
-rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])
-
-# add profiles
-if ('ipacertprofilecategory' in obj
-and obj['ipacertprofilecategory'][0].lower() == 'all'):
-rule.services.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-attr = 'ipamembercertprofile_certprofile'
-rule.services.names = obj.get(attr, [])
-
-# add principals and principal's groups
-category_attr = '{}category'.format(principal_type)
-if category_attr in obj and obj[category_attr][0].lower() == 'all':
-rule.users.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-if principal_type == 'user':
-rule.users.names = obj.get('memberuser_user', [])
-rule.users.groups = obj.get('memberuser_group', [])
-elif principal_type == 'host':
-rule.users.names = obj.get('memberhost_host', [])
-rule.users.groups = obj.get('memberhost_hostgroup', [])
-elif principal_type == 'service':
-rule.users.names = [
-unicode(principal)
-for principal in obj.get('memberservice_service', [])
-]
-
-return rule

[Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

2017-03-14 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

tiran commented:
"""
@martbab I've cleanup up some white space noise and squashed all commits.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/475#issuecomment-286595358
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#475][synchronized] Add options to run only ipaclient unittests

2017-03-14 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/475
Author: tiran
 Title: #475: Add options to run only ipaclient unittests
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/475/head:pr475
git checkout pr475
From 0f3454fd133f9ee09c247a3892088b860a47914c Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Feb 2017 08:39:54 +0100
Subject: [PATCH] Add options to run only ipaclient unittests

A new option for ipa-run-tests makes the test runner ignore
subdirectories or skips tests that depend on the ipaserver package or on
a running framework for RPC integration tests. The new option enables
testing of client-only builds.

$ ipatests/ipa-run-tests --ipaclient-unittests
...
platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1
collected 451 items

test_util.py 
util.py ..
test_ipaclient/test_csrgen.py .....
test_ipalib/test_aci.py ...
test_ipalib/test_backend.py 
test_ipalib/test_base.py ...
test_ipalib/test_capabilities.py .
test_ipalib/test_cli.py ...
test_ipalib/test_config.py ...
test_ipalib/test_crud.py ...
test_ipalib/test_errors.py ...
test_ipalib/test_frontend.py 
test_ipalib/test_messages.py 
test_ipalib/test_output.py ...
test_ipalib/test_parameters.py .
test_ipalib/test_plugable.py 
test_ipalib/test_rpc.py ..
test_ipalib/test_text.py .
test_ipalib/test_x509.py ...
test_ipapython/test_cookie.py 
test_ipapython/test_dn.py ...
test_ipapython/test_ipautil.py ..
test_ipapython/test_ipavalidate.py ..
test_ipapython/test_kerberos.py ..
test_ipapython/test_keyring.py ..
test_ipapython/test_ssh.py ...
test_pkcs10/test_pkcs10.py .

https://fedorahosted.org/freeipa/ticket/6517

Signed-off-by: Christian Heimes 
---
 ipatests/conftest.py   | 34 +-
 ipatests/pytest_plugins/integration.py |  8 +++--
 ipatests/setup.py  |  1 -
 ipatests/test_cmdline/__init__.py  |  6 
 ipatests/test_install/__init__.py  |  5 
 ipatests/test_integration/__init__.py  |  5 
 ipatests/test_ipalib/test_rpc.py   |  2 ++
 ipatests/test_ipaserver/__init__.py|  6 
 ipatests/test_ipaserver/test_install/__init__.py   |  0
 .../test_install/test_adtrustinstance.py   |  8 ++---
 ipatests/test_webui/__init__.py|  5 
 ipatests/test_xmlrpc/__init__.py   |  5 
 ipatests/util.py   | 17 +--
 pylint_plugins.py  | 16 +-
 14 files changed, 103 insertions(+), 15 deletions(-)
 create mode 100644 ipatests/test_ipaserver/test_install/__init__.py

diff --git a/ipatests/conftest.py b/ipatests/conftest.py
index 511d7b7..61e889d 100644
--- a/ipatests/conftest.py
+++ b/ipatests/conftest.py
@@ -7,13 +7,21 @@
 import pprint
 import sys
 
+import pytest
+
 from ipalib import api
 from ipalib.cli import cli_plugins
+
+try:
+import ipaplatform  # pylint: disable=unused-import
+except ImportError:
+ipaplatform = None
 try:
 import ipaserver
 except ImportError:
 ipaserver = None
 
+HERE = os.path.dirname(os.path.abspath(__file__))
 
 pytest_plugins = [
 'ipatests.pytest_plugins.additional_config',
@@ -31,6 +39,7 @@
 'tier1: functional API tests',
 'cs_acceptance: Acceptance test suite for Dogtag Certificate Server',
 'ds_acceptance: Acceptance test suite for 389 Directory Server',
+'skip_ipaclient_unittest: Skip in ipaclient unittest mode',
 ]
 
 
@@ -46,6 +55,7 @@
 'install/share'
 ]
 
+
 INIVALUES = {
 'python_classes': ['test_', 'Test'],
 'python_files': ['test_*.py'],
@@ -75,13 +85,27 @@ def pytest_configure(config):
 config.option.doctestmodules = True
 
 
+def pytest_addoption(parser):
+group = parser.getgroup("IPA integration tests")
+group.addoption(
+'--ipaclient-unittests',
+help='Run ipaclient unit tests only (no RPC and ipaserver)',
+action='store_true'
+)
+
+
 def pytest_cmdline_main(config):
 api.bootstrap(
 context=u'cli', in_server=False, in_tree=True, fallback=False
 )
 for klass in cli_plugins:
 api.add_plugin(klass)
-api.finalize()
+
+# XXX workaround until https://fedorahosted.org/freeipa/ticket/6408 has
+# been resolved.
+if ipaserver is not None:
+

[Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional

2017-03-14 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

tiran commented:
"""
https://github.com/freeipa/freeipa/pull/502#issue-209980292

two thumbs up, one heart, no thumbs down
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/502#issuecomment-286589361
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#586][synchronized] Ignore ipapython/.DEFAULT_PLUGINS

2017-03-14 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/586
Author: tiran
 Title: #586: Ignore ipapython/.DEFAULT_PLUGINS
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/586/head:pr586
git checkout pr586
From f0583b7ef241ee8f229951f3e0a6746936551851 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 14 Mar 2017 17:55:38 +0100
Subject: [PATCH] Ignore ipapython/.DEFAULT_PLUGINS

https://pagure.io/freeipa/issue/6597

Signed-off-by: Christian Heimes 
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 04553fd..7e78a93 100644
--- a/.gitignore
+++ b/.gitignore
@@ -106,6 +106,7 @@ freeipa2-dev-doc
 /client/ipa-rmkeytab
 
 /ipapython/version.py
+/ipapython/.DEFAULT_PLUGINS
 
 /ipaplatform/__init__.py
 /ipaplatform/constants.py
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#589][opened] ipaplatform/debian/paths: Add some missing values.

2017-03-14 Thread tjaalton 
   URL: https://github.com/freeipa/freeipa/pull/589
Author: tjaalton
 Title: #589: ipaplatform/debian/paths: Add some missing values.
Action: opened

PR body:
"""
Rename KRA_AGENT_PEM -> OLD_KRA_AGENT_PEM, add CERTMONGER_DOGTAG_SUBMIT.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/589/head:pr589
git checkout pr589
From 39b7598be817972db2c386b34d2115f8ae34a752 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 14 Mar 2017 23:48:44 +0200
Subject: [PATCH] ipaplatform/debian/paths: Add some missing values.

Rename KRA_AGENT_PEM -> OLD_KRA_AGENT_PEM, add CERTMONGER_DOGTAG_SUBMIT.
---
 ipaplatform/debian/paths.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index e661a8d..331afa0 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -56,7 +56,7 @@ class DebianPathNamespace(BasePathNamespace):
 SYSTEMD_SYSTEM_HTTPD_D_DIR = "/etc/systemd/system/apache2.service.d/"
 SYSTEMD_SYSTEM_HTTPD_IPA_CONF = "/etc/systemd/system/apache2.service.d/ipa.conf"
 DNSSEC_TRUSTED_KEY = "/etc/bind/trusted-key.key"
-KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem"
+OLD_KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem"
 SBIN_SERVICE = "/usr/sbin/service"
 CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
 UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
@@ -67,6 +67,7 @@ class DebianPathNamespace(BasePathNamespace):
 LIB_SYSTEMD_SYSTEMD_DIR = "/lib/systemd/system/"
 DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/lib/certmonger/dogtag-ipa-ca-renew-agent-submit"
 DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/lib/certmonger/dogtag-ipa-renew-agent-submit"
+CERTMONGER_DOGTAG_SUBMIT = "/usr/lib/certmonger/dogtag-submit"
 IPA_SERVER_GUARD = "/usr/lib/certmonger/ipa-server-guard"
 GENERATE_RNDC_KEY = "/bin/true"
 IPA_DNSKEYSYNCD_REPLICA = "/usr/lib/ipa/ipa-dnskeysync-replica"
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] Karma Requests for tomcatjss-7.2.1-1

2017-03-14 Thread Matthew Harmsen 

Everyone,

Sorry, due to a dependency glitch, tomcatjss needed to be re-spun again 
(please ignore previous tomcatjss Karma emails):


*The following updated candidate builds of tomcatjss 7.2.1 were generated:*

 * *Fedora 25:*
 o *tomcatjss-7.2.1-1.fc25
   
   *
 * *Fedora 26:*
 o *tomcatjss-7.2.1-1.fc26
   
   *
 * *Fedora 27:*
 o *tomcatjss-7.2.1-1.fc27
   *

*Please provide Karma for the following builds:*

 * *Fedora 25:*
 o *https://bodhi.fedoraproject.org/updates/FEDORA-2017-122cb7e152
   tomcatjss-7.2.1-1.fc25
   
   *
 * *Fedora 26:*
 o *https://bodhi.fedoraproject.org/updates/FEDORA-2017-2363353a6d
   tomcatjss-7.2.1-1.fc26
   *

-- Matt

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Rob Crittenden 
Standa Laznicka wrote:
> On 03/14/2017 04:21 PM, Rob Crittenden wrote:
>> Standa Laznicka wrote:
>>> On 03/14/2017 03:14 PM, Martin Basti wrote:
 On 14.03.2017 14:56, Luc de Louw wrote:
> My 3 cents...
>
> "Please note that FIPS 140-2 support may not work on some platforms"
>
> -> Does is work in Fedora? Should be worth mention it so people are
> more encouraged to test it in Fedora before its getting to RHEL 7.4
>
> Thanks,
>
> Luc
 We cannot guarantee that FIPS mode will work with fedora, any package
 update may break it.
>>> Fedora itself is not capable of running in FIPS mode so there's no point
>>> adding it there.
>> I can't believe this is correct. Did you try it and it failed? Did you
>> file bugs?
> Yes, yes and no. Please see the header at this page:
> https://fedoraproject.org/wiki/FedoraCryptoConsolidation

Um, ok? What do shared certs and centralized crypto policies have to do
with FIPS not working in Fedora?

> We tried to set up Fedora for FIPS in RHEV but the machine would not
> even start.

Fedora 25 works for me in libvirt.

crypto.fips_enabled is 1.

It is enforcing it too, md5sum fails because FIPS is enabled.

So if it isn't working for you then bugs are required.

rob

>>
>> The dracut-fips and dracut-fips-aesni packages are both available.
>>
>> # cat /etc/redhat-release
>> Fedora release 25 (Twenty Five)
>> # sysctl crypto.fips_enabled
>> crypto.fips_enabled = 0
>>
>> So the basic stuff is there and the kernel knows what FIPS is.
>>
>> Any NSS-based application can enable FIPS-mode independently of the
>> kernel via modutil or application-specific settings (e.g. NSSFIPS in
>> mod_nss).
>>
>> rob
> 
> 

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional

2017-03-14 Thread lslebodn 
  URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

lslebodn commented:
"""
On (14/03/17 09:56), Christian Heimes wrote:
>The PR got three +1 / heart and not -1. I propose to get it merged for 4.5 
>today.
>
I cannot see 3-times +1 in this PR.
I can see just 2 reviewers in top right corner
* lslebodn requested changes
* tomaskrizek approved these changes

Is there any reason why upstream discussion is not accepted?
https://www.redhat.com/archives/freeipa-devel/2017-March/msg00371.html

LS

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/502#issuecomment-286530703
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#587][comment] Python 3: Fix session storage

2017-03-14 Thread simo5 
  URL: https://github.com/freeipa/freeipa/pull/587
Title: #587: Python 3: Fix session storage

simo5 commented:
"""
Technically principal names could use any encoding ... but we make the 
assumption they are utf-8 in freeIPA, so this should be ok.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/587#issuecomment-286518991
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#587][+ack] Python 3: Fix session storage

2017-03-14 Thread simo5 
  URL: https://github.com/freeipa/freeipa/pull/587
Title: #587: Python 3: Fix session storage

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#588][opened] CONFIGURE: Properly detect libpopt on el7

2017-03-14 Thread HonzaCholasta 
   URL: https://github.com/freeipa/freeipa/pull/588
Author: HonzaCholasta
 Title: #588: CONFIGURE: Properly detect libpopt on el7
Action: opened

PR body:
"""
libpopt added pkg-config file in 1.16 but there are still distributions
which has older version of library (el6, el7). And new features from
libpopt are not used anywhere. Configure should try to detect as much as
possible and users should not use workarounds with explicitely enabled
variables as parameters e.g.
   ./configure POPT_LIBS="-lpopt "

This change originating from PR #494 is required to make building upstream IPA 
possible on RHEL/CentOS 7.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/588/head:pr588
git checkout pr588
From 7caede3c79d2053727c33754273ed6826dc26294 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Wed, 22 Feb 2017 09:39:20 +0100
Subject: [PATCH] CONFIGURE: Properly detect libpopt on el7

libpopt added pkg-config file in 1.16 but there are still distributions
which has older version of library (el6, el7). And new features from
libpopt are not used anywhere. Configure should try to detect as much as
possible and users should not use workarounds with explicitely enabled
variables as parameters e.g.
   ./configure POPT_LIBS="-lpopt "
---
 configure.ac | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 4a3ba15..28f6f13 100644
--- a/configure.ac
+++ b/configure.ac
@@ -155,7 +155,13 @@ AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER)
 dnl ---
 dnl - Check for POPT
 dnl ---
-PKG_CHECK_MODULES([POPT], [popt])
+POPT_LIBS=
+PKG_CHECK_MODULES([POPT], [popt], [],
+[AC_CHECK_HEADER([popt.h], [], [AC_MSG_ERROR([popt.h not found])])
+ AC_CHECK_LIB([popt], [poptGetContext], [POPT_LIBS="-lpopt"])
+ AC_SUBST(POPT_LIBS)
+]
+)
 
 dnl ---
 dnl - Check for SASL
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#559][closed] WebUI: Certificate login

2017-03-14 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/559
Author: pvomacka
 Title: #559: WebUI: Certificate login
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/559/head:pr559
git checkout pr559
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

MartinBasti commented:
"""
#585 was pushed
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/559#issuecomment-286507175
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#559][+ack] WebUI: Certificate login

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#585][closed] Remove allow_constrained_delegation from gssproxy.conf

2017-03-14 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/585
Author: pvomacka
 Title: #585: Remove allow_constrained_delegation from gssproxy.conf
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/585/head:pr585
git checkout pr585
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#585][+pushed] Remove allow_constrained_delegation from gssproxy.conf

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/585
Title: #585: Remove allow_constrained_delegation from gssproxy.conf

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#585][comment] Remove allow_constrained_delegation from gssproxy.conf

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/585
Title: #585: Remove allow_constrained_delegation from gssproxy.conf

MartinBasti commented:
"""
master:

* f4cd61f3011877fc9cc2a809438059b07362b0aa Remove allow_constrained_delegation 
from gssproxy.conf
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/585#issuecomment-286506677
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#577][closed] WebUI: Add support for AD users short name resolution

2017-03-14 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/577
Author: pvomacka
 Title: #577: WebUI: Add support for AD users short name resolution
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/577/head:pr577
git checkout pr577
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#577][comment] WebUI: Add support for AD users short name resolution

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/577
Title: #577: WebUI: Add support for AD users short name resolution

MartinBasti commented:
"""
master:

* 2c194d793cd588d595c5ff639fbf5dac93e50e23 WebUI: Add support for management of 
user short name resolution
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/577#issuecomment-286503256
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#577][+pushed] WebUI: Add support for AD users short name resolution

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/577
Title: #577: WebUI: Add support for AD users short name resolution

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#577][+ack] WebUI: Add support for AD users short name resolution

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/577
Title: #577: WebUI: Add support for AD users short name resolution

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#573][+pushed] Provide centralized management of user short name resolution

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

MartinBasti commented:
"""
master:

* 594c87daf873ceec0c0cf3464bcb1aadb9f2b92a Short name resolution: introduce the 
required schema
* 1b5f56d15455b6019dd532cb9635fa2c44cb0022 ipaconfig: add the ability to 
manipulate domain resolution order
* 544d66b7109300e570fb6849f0f9bab8020f3b66 idview: add domain_resolution_order 
attribute
* 4e5e3eebb223b7f2760e21f22e42775982104b0d Re-use trust domain retrieval code 
in certmap validators
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286500632
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#573][closed] Provide centralized management of user short name resolution

2017-03-14 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/573
Author: martbab
 Title: #573: Provide centralized management of user short name resolution
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/573/head:pr573
git checkout pr573
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#584][comment] Improve the implementation of PKINIT certificate retrieval

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/584
Title: #584: Improve the implementation of PKINIT certificate retrieval

MartinBasti commented:
"""
Since I applied this PR, I cannot pass through failing client side installation:
```
Forwarding 'ping' to json server 
'https://vm-024.abc.idm.lab.eng.brq.redhat.com/ipa/json'
Cannot connect to the server due to Kerberos error: No valid Negotiate header 
in server response. Trying with delegate=True
trying https://vm-024.abc.idm.lab.eng.brq.redhat.com/ipa/json
Forwarding 'ping' to json server 
'https://vm-024.abc.idm.lab.eng.brq.redhat.com/ipa/json'
Second connect with delegate=True also failed: No valid Negotiate header in 
server response
Installation failed. As this is IPA server, changes will not be rolled back.
Cannot connect to the IPA server RPC interface: No valid Negotiate header in 
server response
The ipa-client-install command failed. See /var/log/ipaclient-install.log for 
more information
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR
Configuration of client side components failed!
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERRORThe 
ipa-server-install command failed. See /var/log/ipaserver-install.log for more 
information
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/584#issuecomment-286499793
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#587][comment] Python 3: Fix session storage

2017-03-14 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/587
Title: #587: Python 3: Fix session storage

tiran commented:
"""
@simo5 is UTF-8 correct or are keys and values ASCII only?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/587#issuecomment-286495619
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#573][+ack] Provide centralized management of user short name resolution

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#587][opened] Python 3: Fix session storage

2017-03-14 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/587
Author: tiran
 Title: #587: Python 3: Fix session storage
Action: opened

PR body:
"""
ctypes can only handle bytes, not text. Encode and decode all incoming
and outgoing text from UTF-8 to bytes.

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/587/head:pr587
git checkout pr587
From cd4540662d5ca2e41239a26c08e8e4889714 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 14 Mar 2017 18:20:13 +0100
Subject: [PATCH] Python 3: Fix session storage

ctypes can only handle bytes, not text. Encode and decode all incoming
and outgoing text from UTF-8 to bytes.

Signed-off-by: Christian Heimes 
---
 ipapython/session_storage.py | 19 ++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
index 7fe17fb..bcf0947 100644
--- a/ipapython/session_storage.py
+++ b/ipapython/session_storage.py
@@ -104,6 +104,13 @@ def store_data(princ_name, key, value):
 """
 Stores the session cookie in a hidden ccache entry.
 """
+if not isinstance(princ_name, bytes):
+princ_name = princ_name.encode('utf-8')
+if not isinstance(key, bytes):
+key = key.encode('ascii')
+if not isinstance(value, bytes):
+value = value.encode('utf-8')
+
 context = krb5_context()
 principal = krb5_principal()
 ccache = krb5_ccache()
@@ -136,6 +143,11 @@ def get_data(princ_name, key):
 """
 Gets the session cookie in a hidden ccache entry.
 """
+if not isinstance(princ_name, bytes):
+princ_name = princ_name.encode('utf-8')
+if not isinstance(key, bytes):
+key = key.encode('utf-8')
+
 context = krb5_context()
 principal = krb5_principal()
 ccache = krb5_ccache()
@@ -152,7 +164,7 @@ def get_data(princ_name, key):
 krb5_cc_get_config(context, ccache, principal, key,
ctypes.byref(data))
 
-return str(data.data)
+return data.data.decode('utf-8')
 
 finally:
 if principal:
@@ -169,6 +181,11 @@ def remove_data(princ_name, key):
 """
 Removes the hidden ccache entry with the session cookie.
 """
+if not isinstance(princ_name, bytes):
+princ_name = princ_name.encode('utf-8')
+if not isinstance(key, bytes):
+key = key.encode('utf-8')
+
 context = krb5_context()
 principal = krb5_principal()
 ccache = krb5_ccache()
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#502][synchronized] Make pylint and jsl optional

2017-03-14 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/502
Author: tiran
 Title: #502: Make pylint and jsl optional
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/502/head:pr502
git checkout pr502
From e6d392d3a2f4dafc8891abcac01d6b262dc77fb7 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 22 Feb 2017 19:19:35 +0100
Subject: [PATCH] Make pylint and jsl optional

./configure no longer fails when pylint or jsl are not available. The
make targets for pylint and jsl are no longer defined without the tools.

Rational:
pylint and jsl are not required to build FreeIPA. Both are useful
developer tools. It's more user friendly to make both components
optionally with default config arguments. There is no reason to
fail building on a build system without development tools.

It's still possible to enforce dependency checks with --with-jslint and
--enable-pylint.

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes 
---
 Makefile.am | 14 +++---
 configure.ac| 47 ---
 freeipa.spec.in | 11 ---
 3 files changed, 51 insertions(+), 21 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 5d41e4a..df4e05a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -146,6 +146,10 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: $(top_builddir)/ipapython/version.py
+$(top_builddir)/ipapython/version.py:
+	(cd $(top_builddir)/ipapython && make version.py)
+
 .PHONY: acilint
 acilint: $(top_builddir)/ipapython/version.py
 	cd $(srcdir); ./makeaci --validate
@@ -162,10 +166,10 @@ polint:
 # folders rpmbuild, freeipa-* and dist. Skip (match, but don't print) .*,
 # *.in, *~. Finally print all python files, including scripts that do not
 # have python extension.
-.PHONY: pylint $(top_builddir)/ipapython/version.py
-$(top_builddir)/ipapython/version.py:
-	(cd $(top_builddir)/ipapython && make version.py)
 
+.PHONY: pylint
+
+if WITH_PYLINT
 pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 	FILES=`find $(top_srcdir) \
 		-type d -exec test -e '{}/__init__.py' \; -print -prune -o \
@@ -183,9 +187,12 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		--rcfile=$(top_srcdir)/pylintrc \
 		--load-plugins pylint_plugins \
 		$${FILES}
+endif  # WITH_PYLINT
 
 .PHONY: jslint jslint-ui jslint-ui-test jslint-html \
 	$(top_builddir)/install/ui/src/libs/loader.js
+
+if WITH_JSLINT
 jslint: jslint-ui jslint-ui-test jslint-html
 
 $(top_builddir)/install/ui/src/libs/loader.js:
@@ -208,6 +215,7 @@ jslint-ui-test:
 jslint-html:
 	cd $(top_srcdir)/install/html; \
 	jsl -nologo -nosummary -nofilelisting -conf jsl.conf
+endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle wheel_placeholder pypi_packages
 WHEELDISTDIR = $(top_builddir)/dist/wheels
diff --git a/configure.ac b/configure.ac
index 4a3ba15..9a5a3ab 100644
--- a/configure.ac
+++ b/configure.ac
@@ -375,17 +375,25 @@ AC_SUBST([i18ntests])
 AM_CONDITIONAL([WITH_POLINT], [test "x${enable_i18ntests}" == "xyes"])
 
 AC_ARG_ENABLE([pylint],
-	AS_HELP_STRING([--disable-pylint],
-			   [skip Pylint in make lint target]),
+	AS_HELP_STRING([--enable-pylint],
+			   [Require pylint. Default is autodetection with
+			"python -m pylint".]),
 	[PYLINT=$enableval],
-	[PYLINT=yes]
+	[PYLINT=check]
 )
+
 if test x$PYLINT != xno; then
 AC_MSG_CHECKING([for Pylint])
-$PYTHON -m pylint --version > /dev/null
+$PYTHON -m pylint --version >/dev/null 2>&1
 if test "$?" != "0"; then
-AC_MSG_ERROR([cannot find pylint for $PYTHON])
+if test x$PYLINT = xcheck; then
+PYLINT=no
+AC_MSG_NOTICE([cannot find optional pylint for $PYTHON])
+else
+AC_MSG_ERROR([cannot find pylint for $PYTHON])
+fi
 else
+PYLINT=yes
 AC_MSG_RESULT([yes])
 fi
 fi
@@ -397,13 +405,27 @@ AC_ARG_WITH([jslint],
 AS_HELP_STRING([--with-jslint=[FILE]],
[path to JavaScript linter. Default is autodetection of
utility "jsl" ]),
-dnl --without-jslint will set JSLINT=no
-[JSLINT=$with_jslint],
-[AC_PATH_PROG([JSLINT], [jsl])]
+[JSLINT="$withval"],
+[JSLINT=check]
+)
+
+AS_CASE([$JSLINT],
+[yes], [AC_PATH_PROG([JSLINT], [jsl], [missing])
+if test $JSLINT = missing; then
+AC_MSG_FAILURE([jsl is missing])
+fi],
+[no], [],
+[check], [AC_PATH_PROG([JSLINT], [jsl], [no])],
+dnl user setting
+[if ! test -f "$JSLINT"; then
+AC_MSG_RESULT([$JSLINT non-existing])
+AC_MSG_FAILURE([invalid value $JSLINT for jsl])
+ fi
+ if ! test -x "$JSLINT"; then
+AC_MSG_RESULT([$JSLINT non-executable])
+AC_MSG_FAILURE([invalid value $JSLINT for

[Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login

2017-03-14 Thread pvomacka 
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

pvomacka commented:
"""
Removed in https://github.com/freeipa/freeipa/pull/585 once it will be pushed I 
will close this one again. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/559#issuecomment-286490161
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#433][comment] csrgen: Allow some certificate fields to be specified by the user

2017-03-14 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/433
Title: #433: csrgen: Allow some certificate fields to be specified by the user

tiran commented:
"""
@LiptonB please resolve conflicts
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/433#issuecomment-286489002
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#586][comment] Ignore ipapython/.DEFAULT_PLUGINS

2017-03-14 Thread HonzaCholasta 
  URL: https://github.com/freeipa/freeipa/pull/586
Title: #586: Ignore ipapython/.DEFAULT_PLUGINS

HonzaCholasta commented:
"""
LGTM. Please use https://pagure.io/freeipa/issue/6597 as ticket link in the 
commit message.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/586#issuecomment-286489040
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#585][+ack] Remove allow_constrained_delegation from gssproxy.conf

2017-03-14 Thread simo5 
  URL: https://github.com/freeipa/freeipa/pull/585
Title: #585: Remove allow_constrained_delegation from gssproxy.conf

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#585][synchronized] Remove allow_constrained_delegation from gssproxy.conf

2017-03-14 Thread pvomacka 
   URL: https://github.com/freeipa/freeipa/pull/585
Author: pvomacka
 Title: #585: Remove allow_constrained_delegation from gssproxy.conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/585/head:pr585
git checkout pr585
From 51aeaec986dffddd563b24352842a20337a26bce Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Tue, 14 Mar 2017 17:44:01 +0100
Subject: [PATCH] Remove allow_constrained_delegation from gssproxy.conf

The Apache process must not allowed to use constrained delegation to
contact services because it is already allowed to impersonate
users to itself. Allowing it to perform constrained delegation would
let it impersonate any user against the LDAP service without authentication.

https://pagure.io/freeipa/issue/6225
---
 install/share/gssproxy.conf.template | 1 -
 1 file changed, 1 deletion(-)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index d703144..fbb158a 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,7 +4,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
-  allow_constrained_delegation = true
   cred_usage = both
   euid = $HTTPD_USER
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#586][opened] Ignore ipapython/.DEFAULT_PLUGINS

2017-03-14 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/586
Author: tiran
 Title: #586: Ignore ipapython/.DEFAULT_PLUGINS
Action: opened

PR body:
"""
Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/586/head:pr586
git checkout pr586
From 1b4baa8a4539e9efff90fb370935179b05776dee Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 14 Mar 2017 17:55:38 +0100
Subject: [PATCH] Ignore ipapython/.DEFAULT_PLUGINS

Signed-off-by: Christian Heimes 
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 04553fd..7e78a93 100644
--- a/.gitignore
+++ b/.gitignore
@@ -106,6 +106,7 @@ freeipa2-dev-doc
 /client/ipa-rmkeytab
 
 /ipapython/version.py
+/ipapython/.DEFAULT_PLUGINS
 
 /ipaplatform/__init__.py
 /ipaplatform/constants.py
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#585][synchronized] Remove allow_constrained_delegation from gssproxy.conf

2017-03-14 Thread pvomacka 
   URL: https://github.com/freeipa/freeipa/pull/585
Author: pvomacka
 Title: #585: Remove allow_constrained_delegation from gssproxy.conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/585/head:pr585
git checkout pr585
From 70a70d1d76664602b907e9f93b29c5515b120931 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Tue, 14 Mar 2017 17:44:01 +0100
Subject: [PATCH] Remove allow_constrained_delegation from gssproxy.conf

This change reverts option which undid privilege separation letting
 apache be able to both impersonate users and then contact any service.

https://pagure.io/freeipa/issue/6225
---
 install/share/gssproxy.conf.template | 1 -
 1 file changed, 1 deletion(-)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index d703144..fbb158a 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,7 +4,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
-  allow_constrained_delegation = true
   cred_usage = both
   euid = $HTTPD_USER
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#502][comment] Make pylint and jsl optional

2017-03-14 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/502
Title: #502: Make pylint and jsl optional

tiran commented:
"""
The PR got three +1 / heart and not -1. I propose to get it merged for 4.5 
today.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/502#issuecomment-286487177
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#585][comment] Remove allow_constrained_delegation from gssproxy.conf

2017-03-14 Thread simo5 
  URL: https://github.com/freeipa/freeipa/pull/585
Title: #585: Remove allow_constrained_delegation from gssproxy.conf

simo5 commented:
"""
Please change commit message to:

The Apache process *must* not allowed to use constrained delegation to contact 
services because it is already allowed to impersonate users to itself. Allowing 
it to perform constrained delegation would let it impersonate any user against 
the LDAP service without authentication.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/585#issuecomment-286486668
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#502][synchronized] Make pylint and jsl optional

2017-03-14 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/502
Author: tiran
 Title: #502: Make pylint and jsl optional
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/502/head:pr502
git checkout pr502
From fe062ffd3e9dd6f14e3a993d5d0247bf57a9d54f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 22 Feb 2017 19:19:35 +0100
Subject: [PATCH] Make pylint and jsl optional

./configure no longer fails when pylint or jsl are not available. The
make targets for pylint and jsl are no longer defined without the tools.

Rational:
pylint and jsl are not required to build FreeIPA. Both are useful
developer tools. It's more user friendly to make both components
optionally with default config arguments. There is no reason to
fail building on a build system without development tools.

It's still possible to enforce dependency checks with --with-jslint and
--enable-pylint.

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes 
---
 Makefile.am | 18 --
 configure.ac| 47 ---
 freeipa.spec.in | 11 ---
 3 files changed, 52 insertions(+), 24 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 5d41e4a..844c29b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -146,6 +146,10 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: $(top_builddir)/ipapython/version.py
+$(top_builddir)/ipapython/version.py:
+	(cd $(top_builddir)/ipapython && make version.py)
+
 .PHONY: acilint
 acilint: $(top_builddir)/ipapython/version.py
 	cd $(srcdir); ./makeaci --validate
@@ -162,10 +166,10 @@ polint:
 # folders rpmbuild, freeipa-* and dist. Skip (match, but don't print) .*,
 # *.in, *~. Finally print all python files, including scripts that do not
 # have python extension.
-.PHONY: pylint $(top_builddir)/ipapython/version.py
-$(top_builddir)/ipapython/version.py:
-	(cd $(top_builddir)/ipapython && make version.py)
 
+.PHONY: pylint
+
+if WITH_PYLINT
 pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 	FILES=`find $(top_srcdir) \
 		-type d -exec test -e '{}/__init__.py' \; -print -prune -o \
@@ -180,12 +184,13 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
 	echo "Pylint is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
-		--rcfile=$(top_srcdir)/pylintrc \
-		--load-plugins pylint_plugins \
-		$${FILES}
+		--rcfile=$(top_srcdir)/pylintrc $${FILES}
+endif  # WITH_PYLINT
 
 .PHONY: jslint jslint-ui jslint-ui-test jslint-html \
 	$(top_builddir)/install/ui/src/libs/loader.js
+
+if WITH_JSLINT
 jslint: jslint-ui jslint-ui-test jslint-html
 
 $(top_builddir)/install/ui/src/libs/loader.js:
@@ -208,6 +213,7 @@ jslint-ui-test:
 jslint-html:
 	cd $(top_srcdir)/install/html; \
 	jsl -nologo -nosummary -nofilelisting -conf jsl.conf
+endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle wheel_placeholder pypi_packages
 WHEELDISTDIR = $(top_builddir)/dist/wheels
diff --git a/configure.ac b/configure.ac
index 4a3ba15..9a5a3ab 100644
--- a/configure.ac
+++ b/configure.ac
@@ -375,17 +375,25 @@ AC_SUBST([i18ntests])
 AM_CONDITIONAL([WITH_POLINT], [test "x${enable_i18ntests}" == "xyes"])
 
 AC_ARG_ENABLE([pylint],
-	AS_HELP_STRING([--disable-pylint],
-			   [skip Pylint in make lint target]),
+	AS_HELP_STRING([--enable-pylint],
+			   [Require pylint. Default is autodetection with
+			"python -m pylint".]),
 	[PYLINT=$enableval],
-	[PYLINT=yes]
+	[PYLINT=check]
 )
+
 if test x$PYLINT != xno; then
 AC_MSG_CHECKING([for Pylint])
-$PYTHON -m pylint --version > /dev/null
+$PYTHON -m pylint --version >/dev/null 2>&1
 if test "$?" != "0"; then
-AC_MSG_ERROR([cannot find pylint for $PYTHON])
+if test x$PYLINT = xcheck; then
+PYLINT=no
+AC_MSG_NOTICE([cannot find optional pylint for $PYTHON])
+else
+AC_MSG_ERROR([cannot find pylint for $PYTHON])
+fi
 else
+PYLINT=yes
 AC_MSG_RESULT([yes])
 fi
 fi
@@ -397,13 +405,27 @@ AC_ARG_WITH([jslint],
 AS_HELP_STRING([--with-jslint=[FILE]],
[path to JavaScript linter. Default is autodetection of
utility "jsl" ]),
-dnl --without-jslint will set JSLINT=no
-[JSLINT=$with_jslint],
-[AC_PATH_PROG([JSLINT], [jsl])]
+[JSLINT="$withval"],
+[JSLINT=check]
+)
+
+AS_CASE([$JSLINT],
+[yes], [AC_PATH_PROG([JSLINT], [jsl], [missing])
+if test $JSLINT = missing; then
+AC_MSG_FAILURE([jsl is missing])
+fi],
+[no], [],
+[check], [AC_PATH_PROG([JSLINT], [jsl], [no])],
+dnl user setting
+[if ! test -f "$JSLINT"; then
+AC_MSG_RESULT([$JSLINT

[Freeipa-devel] [freeipa PR#502][synchronized] Make pylint and jsl optional

2017-03-14 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/502
Author: tiran
 Title: #502: Make pylint and jsl optional
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/502/head:pr502
git checkout pr502
From 12e21b6c014fa3ebcc86fe9cf29163afa3f4153b Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 22 Feb 2017 19:19:35 +0100
Subject: [PATCH] Make pylint and jsl optional

./configure no longer fails when pylint or jsl are not available. The
make targets for pylint and jsl are no longer defined without the tools.

Rational:
pylint and jsl are not required to build FreeIPA. Both are useful
developer tools. It's more user friendly to make both components
optionally with default config arguments. There is no reason to
fail building on a build system without development tools.

It's still possible to enforce dependency checks with --with-jslint and
--enable-pylint.

https://fedorahosted.org/freeipa/ticket/6604

Signed-off-by: Christian Heimes 
---
 Makefile.am | 18 --
 configure.ac| 47 ---
 freeipa.spec.in | 11 ---
 3 files changed, 52 insertions(+), 24 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 5d41e4a..844c29b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -146,6 +146,10 @@ JSLINT_TARGET = jslint
 endif WITH_JSLINT
 lint: acilint apilint $(POLINT_TARGET) $(PYLINT_TARGET) $(JSLINT_TARGET)
 
+.PHONY: $(top_builddir)/ipapython/version.py
+$(top_builddir)/ipapython/version.py:
+	(cd $(top_builddir)/ipapython && make version.py)
+
 .PHONY: acilint
 acilint: $(top_builddir)/ipapython/version.py
 	cd $(srcdir); ./makeaci --validate
@@ -162,10 +166,10 @@ polint:
 # folders rpmbuild, freeipa-* and dist. Skip (match, but don't print) .*,
 # *.in, *~. Finally print all python files, including scripts that do not
 # have python extension.
-.PHONY: pylint $(top_builddir)/ipapython/version.py
-$(top_builddir)/ipapython/version.py:
-	(cd $(top_builddir)/ipapython && make version.py)
 
+.PHONY: pylint
+
+if WITH_PYLINT
 pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 	FILES=`find $(top_srcdir) \
 		-type d -exec test -e '{}/__init__.py' \; -print -prune -o \
@@ -180,12 +184,13 @@ pylint: $(top_builddir)/ipapython/version.py ipasetup.py
 		-type f -exec grep -qsm1 '^#!.*\bpython' '{}' \; -print`; \
 	echo "Pylint is running, please wait ..."; \
 	PYTHONPATH=$(top_srcdir) $(PYTHON) -m pylint \
-		--rcfile=$(top_srcdir)/pylintrc \
-		--load-plugins pylint_plugins \
-		$${FILES}
+		--rcfile=$(top_srcdir)/pylintrc $${FILES}
+endif  # WITH_PYLINT
 
 .PHONY: jslint jslint-ui jslint-ui-test jslint-html \
 	$(top_builddir)/install/ui/src/libs/loader.js
+
+if WITH_JSLINT
 jslint: jslint-ui jslint-ui-test jslint-html
 
 $(top_builddir)/install/ui/src/libs/loader.js:
@@ -208,6 +213,7 @@ jslint-ui-test:
 jslint-html:
 	cd $(top_srcdir)/install/html; \
 	jsl -nologo -nosummary -nofilelisting -conf jsl.conf
+endif  # WITH_JSLINT
 
 .PHONY: bdist_wheel wheel_bundle wheel_placeholder pypi_packages
 WHEELDISTDIR = $(top_builddir)/dist/wheels
diff --git a/configure.ac b/configure.ac
index 4a3ba15..9a5a3ab 100644
--- a/configure.ac
+++ b/configure.ac
@@ -375,17 +375,25 @@ AC_SUBST([i18ntests])
 AM_CONDITIONAL([WITH_POLINT], [test "x${enable_i18ntests}" == "xyes"])
 
 AC_ARG_ENABLE([pylint],
-	AS_HELP_STRING([--disable-pylint],
-			   [skip Pylint in make lint target]),
+	AS_HELP_STRING([--enable-pylint],
+			   [Require pylint. Default is autodetection with
+			"python -m pylint".]),
 	[PYLINT=$enableval],
-	[PYLINT=yes]
+	[PYLINT=check]
 )
+
 if test x$PYLINT != xno; then
 AC_MSG_CHECKING([for Pylint])
-$PYTHON -m pylint --version > /dev/null
+$PYTHON -m pylint --version >/dev/null 2>&1
 if test "$?" != "0"; then
-AC_MSG_ERROR([cannot find pylint for $PYTHON])
+if test x$PYLINT = xcheck; then
+PYLINT=no
+AC_MSG_NOTICE([cannot find optional pylint for $PYTHON])
+else
+AC_MSG_ERROR([cannot find pylint for $PYTHON])
+fi
 else
+PYLINT=yes
 AC_MSG_RESULT([yes])
 fi
 fi
@@ -397,13 +405,27 @@ AC_ARG_WITH([jslint],
 AS_HELP_STRING([--with-jslint=[FILE]],
[path to JavaScript linter. Default is autodetection of
utility "jsl" ]),
-dnl --without-jslint will set JSLINT=no
-[JSLINT=$with_jslint],
-[AC_PATH_PROG([JSLINT], [jsl])]
+[JSLINT="$withval"],
+[JSLINT=check]
+)
+
+AS_CASE([$JSLINT],
+[yes], [AC_PATH_PROG([JSLINT], [jsl], [missing])
+if test $JSLINT = missing; then
+AC_MSG_FAILURE([jsl is missing])
+fi],
+[no], [],
+[check], [AC_PATH_PROG([JSLINT], [jsl], [no])],
+dnl user setting
+[if ! test -f "$JSLINT"; then
+AC_MSG_RESULT([$JSLINT

[Freeipa-devel] [freeipa PR#585][opened] Remove allow_constrained_delegation from gssproxy.conf

2017-03-14 Thread pvomacka 
   URL: https://github.com/freeipa/freeipa/pull/585
Author: pvomacka
 Title: #585: Remove allow_constrained_delegation from gssproxy.conf
Action: opened

PR body:
"""
This change reverts option which breaks priviledge separation.

https://pagure.io/freeipa/issue/6225
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/585/head:pr585
git checkout pr585
From 90d85c73daa272f31af1ca1bab7b2703564597d1 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Tue, 14 Mar 2017 17:44:01 +0100
Subject: [PATCH] Remove allow_constrained_delegation from gssproxy.conf

This change reverts option which breaks priviledge separation.

https://pagure.io/freeipa/issue/6225
---
 install/share/gssproxy.conf.template | 1 -
 1 file changed, 1 deletion(-)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index d703144..fbb158a 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,7 +4,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
-  allow_constrained_delegation = true
   cred_usage = both
   euid = $HTTPD_USER
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#559][-ack] WebUI: Certificate login

2017-03-14 Thread simo5 
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

Label: -ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#559][reopened] WebUI: Certificate login

2017-03-14 Thread simo5 
   URL: https://github.com/freeipa/freeipa/pull/559
Author: pvomacka
 Title: #559: WebUI: Certificate login
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/559/head:pr559
git checkout pr559
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login

2017-03-14 Thread simo5 
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

simo5 commented:
"""
You need to wait to get th gssproxy fix I've been developing today and set the 
minimum gssproxy version to the one with the fix once we get to publish it

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/559#issuecomment-286478736
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login

2017-03-14 Thread simo5 
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

simo5 commented:
"""
NACK NACK NACK
Pleas revert the change to the gssproxy template, it undoes half the work done 
in privilege separation
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/559#issuecomment-286478501
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#538][closed] Run test_ipaclient test suite

2017-03-14 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/538
Author: tiran
 Title: #538: Run test_ipaclient test suite
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/538/head:pr538
git checkout pr538
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#538][comment] Run test_ipaclient test suite

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/538
Title: #538: Run test_ipaclient test suite

MartinBasti commented:
"""
master:

* 08fc9d7a68220fc147177e6f757387823fea0f43 Run test_ipaclient test suite
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/538#issuecomment-286473191
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#538][+pushed] Run test_ipaclient test suite

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/538
Title: #538: Run test_ipaclient test suite

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

MartinBasti commented:
"""
master:

* f037bfa48356a5fb28eebdb76f9dbd5cb461c2d2 httpinstance: disable system trust 
module in /etc/httpd/alias
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/531#issuecomment-286472486
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#577][synchronized] WebUI: Add support for AD users short name resolution

2017-03-14 Thread pvomacka 
   URL: https://github.com/freeipa/freeipa/pull/577
Author: pvomacka
 Title: #577: WebUI: Add support for AD users short name resolution
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/577/head:pr577
git checkout pr577
From bbb573aea93351157d485f560160949402447b59 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 13 Mar 2017 17:30:57 +0100
Subject: [PATCH] WebUI: Add support for management of user short name
 resolution

https://pagure.io/freeipa/issue/6372
---
 install/ui/src/freeipa/idviews.js  | 4 
 install/ui/src/freeipa/serverconfig.js | 4 
 2 files changed, 8 insertions(+)

diff --git a/install/ui/src/freeipa/idviews.js b/install/ui/src/freeipa/idviews.js
index 25c043c..f383ab3 100644
--- a/install/ui/src/freeipa/idviews.js
+++ b/install/ui/src/freeipa/idviews.js
@@ -100,6 +100,10 @@ return {
 fields: [
 'cn',
 {
+name: 'ipadomainresolutionorder',
+tooltip: '@mc-opt:idview_mod:ipadomainresolutionorder:doc'
+},
+{
 $type: 'textarea',
 name: 'description'
 }
diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index 2bc4e88..25f484a 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -56,6 +56,10 @@ return {
 'ipausersearchfields',
 'ipadefaultemaildomain',
 {
+name: 'ipadomainresolutionorder',
+tooltip: '@mc-opt:config_mod:ipadomainresolutionorder:doc'
+},
+{
 $type: 'entity_select',
 name: 'ipadefaultprimarygroup',
 other_entity: 'group',
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#581][closed] Backup KDC certificate pair

2017-03-14 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/581
Author: stlaz
 Title: #581: Backup KDC certificate pair
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/581/head:pr581
git checkout pr581
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#581][comment] Backup KDC certificate pair

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/581
Title: #581: Backup KDC certificate pair

MartinBasti commented:
"""
master:

* ee6d031a6a0939c1f51a874b1f8f9b19ec727203 Backup KDC certificate pair
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/581#issuecomment-286471815
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#581][+pushed] Backup KDC certificate pair

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/581
Title: #581: Backup KDC certificate pair

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#583][comment] ipaplatform/debian/services: Fix is_running arguments.

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/583
Title: #583: ipaplatform/debian/services: Fix is_running arguments.

MartinBasti commented:
"""
master:

* 1a47fcd3ee7fe2878c77de0729e422c40a457600 ipaplatform/debian/services: Fix 
is_running arguments.
* 71db8c264e38502e80f05e9cb234185049450b62 ipaplatform/debian/paths: Add 
IPA_HTTPD_KDCPROXY.
* c194f74b12a92e3beb01f36b5cbe20255d8247c5 ipaplatform/debian/paths: Rename 
IPA_KEYTAB to OLD_IPA_KEYTAB.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/583#issuecomment-286471518
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#583][+pushed] ipaplatform/debian/services: Fix is_running arguments.

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/583
Title: #583: ipaplatform/debian/services: Fix is_running arguments.

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#583][closed] ipaplatform/debian/services: Fix is_running arguments.

2017-03-14 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/583
Author: tjaalton
 Title: #583: ipaplatform/debian/services: Fix is_running arguments.
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/583/head:pr583
git checkout pr583
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#583][+ack] ipaplatform/debian/services: Fix is_running arguments.

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/583
Title: #583: ipaplatform/debian/services: Fix is_running arguments.

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#581][+ack] Backup KDC certificate pair

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/581
Title: #581: Backup KDC certificate pair

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#538][+ack] Run test_ipaclient test suite

2017-03-14 Thread tomaskrizek 
  URL: https://github.com/freeipa/freeipa/pull/538
Title: #538: Run test_ipaclient test suite

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Petr Vobornik 

On 03/14/2017 04:24 PM, Martin Basti wrote:



On 14.03.2017 14:50, Jakub Hrozek wrote:

On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:

Hello,

DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0

Please update/let me know what is missing, what is extra.

Please update this paragraph:

AD User Short Names

Support for AD users short names has been added. Short
names can be enabled from CLI by setting ipa config-mod
--domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
or from WebUI under Configuration tab. No manual configuration on SSSD
side is required.


With a note that this feature is not supported by SSSD yet and the work
is tracked with https://pagure.io/SSSD/sssd/issue/3210


I updated that section. Shouldn't we remove it completely from release
notes because it will not work until new SSSD is released?



I'd keep it there and add Jakub's comment. It will be useful when SSSD 
with the support is released.



--
Petr Vobornik


--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-14 Thread martbab 
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

martbab commented:
"""
Ok thanks for explanation.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286464608
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Standa Laznicka 

On 03/14/2017 04:21 PM, Rob Crittenden wrote:

Standa Laznicka wrote:

On 03/14/2017 03:14 PM, Martin Basti wrote:

On 14.03.2017 14:56, Luc de Louw wrote:

My 3 cents...

"Please note that FIPS 140-2 support may not work on some platforms"

-> Does is work in Fedora? Should be worth mention it so people are
more encouraged to test it in Fedora before its getting to RHEL 7.4

Thanks,

Luc

We cannot guarantee that FIPS mode will work with fedora, any package
update may break it.

Fedora itself is not capable of running in FIPS mode so there's no point
adding it there.

I can't believe this is correct. Did you try it and it failed? Did you
file bugs?

Yes, yes and no. Please see the header at this page:
https://fedoraproject.org/wiki/FedoraCryptoConsolidation

We tried to set up Fedora for FIPS in RHEV but the machine would not 
even start.


The dracut-fips and dracut-fips-aesni packages are both available.

# cat /etc/redhat-release
Fedora release 25 (Twenty Five)
# sysctl crypto.fips_enabled
crypto.fips_enabled = 0

So the basic stuff is there and the kernel knows what FIPS is.

Any NSS-based application can enable FIPS-mode independently of the
kernel via modutil or application-specific settings (e.g. NSSFIPS in
mod_nss).

rob



--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-14 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

stlaz commented:
"""
I rebased your patchset on current master and put the uninstallation of 
`ipa_memcached` into a multipass block and all seems to work now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/531#issuecomment-286457931
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#584][opened] Improve the implementation of PKINIT certificate retrieval

2017-03-14 Thread martbab 
   URL: https://github.com/freeipa/freeipa/pull/584
Author: martbab
 Title: #584: Improve the implementation of PKINIT certificate retrieval
Action: opened

PR body:
"""
The original PKINIT cert request code contained numerous defects, namely:

   * nearly absent handling of rejected requests and CA errors which resulted
 e.g. in an unusable WebUI after replica installation
 and
   * certificate request logic that was not consistent with the rest of the
 installers (DS, HTTP for example): what caused hard errors in their case
 went unnoticed in PKINIT setup

This PR consolidates this code so that errors arising from CA rejecting the
PKINIT cert request cause the installers to abort immediately. The PKINIT step
was also split into a separate method executed before LDAP updates. The name
was chosen to be `enable_ssl` in order to make the planned refactoring of
certificate requesting code (https://pagure.io/freeipa/issue/6429) easier: the
method name is not accurate but at least it is consistent with e.g. LDAP
installer co the common code can be grepper with greater ease.

https://pagure.io/freeipa/issue/6739
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/584/head:pr584
git checkout pr584
From 596e3e22a4436d75973c44e48378b1b509c30867 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 14 Mar 2017 09:56:07 +0100
Subject: [PATCH 1/4] Make PKINIT certificate request logic consistent with
 other installers

The certmonger request handling code during pkinit setup actually never
correctly handled situations when certificate request was rejected by
the CA or CA was unreachable. This led to subtle errors caused by broken
anonymous pkinit (e.g. failing WebUI logins) which are hard to debug.

The code should behave as other service installers, e. g. use
`request_and_wait_for_cert` method which raises hard error when request
times out or is not granted by CA. On master contact Dogtag CA endpoint
directly as is done in DS installation.

https://pagure.io/freeipa/issue/6739
---
 ipaserver/install/krbinstance.py | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 08d39e2..c74fe40 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -357,10 +357,15 @@ def setup_pkinit(self):
 subject = str(DN(('cn', self.fqdn), self.subject_base))
 krbtgt = "krbtgt/" + self.realm + "@" + self.realm
 certpath = (paths.KDC_CERT, paths.KDC_KEY)
+
 try:
-reqid = certmonger.request_cert(certpath, subject, krbtgt,
-dns=self.fqdn, storage='FILE',
-profile='KDCs_PKINIT_Certs')
+certmonger.request_and_wait_for_cert(
+certpath,
+subject,
+krbtgt,
+dns=self.fqdn,
+storage='FILE',
+profile='KDCs_PKINIT_Certs')
 except dbus.DBusException as e:
 # if the certificate is already tracked, ignore the error
 name = e.get_dbus_name()
@@ -368,11 +373,6 @@ def setup_pkinit(self):
 root_logger.error("Failed to initiate the request: %s", e)
 return
 
-try:
-certmonger.wait_for_request(reqid)
-except RuntimeError as e:
-root_logger.error("Failed to wait for request: %s", e)
-
 # Finally copy the cacert in the krb directory so we don't
 # have any selinux issues with the file context
 shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)

From 73f8676e8b49e8f76883c57fd1e6618e00cab94c Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Tue, 14 Mar 2017 13:16:07 +0100
Subject: [PATCH 2/4] Request PKINIT cert directly from Dogtag API on first
 master

On the first master the framework may not be fully functional to server
certificate requests. It is safer to configure helper that contacts
Dogtag REST API directly.

https://pagure.io/freeipa/issue/6739
---
 ipaserver/install/krbinstance.py | 16 
 1 file changed, 16 insertions(+)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index c74fe40..5f2a4b1 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -68,6 +68,7 @@ def __init__(self, fstore=None):
 self.kdc_password = None
 self.sub_dict = None
 self.pkcs12_info = None
+self.master_fqdn = None
 
 suffix = ipautil.dn_attribute_property('_suffix')
 subject_base = ipautil.dn_attribute_property('_subject_base')
@@ -359,6 +360,18 @@ def setup_pkinit(self):
 certpath = (paths.KDC_CERT, paths.KDC_KEY)

[Freeipa-devel] [freeipa PR#531][+ack] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-14 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#538][synchronized] Run test_ipaclient test suite

2017-03-14 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/538
Author: tiran
 Title: #538: Run test_ipaclient test suite
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/538/head:pr538
git checkout pr538
From 212ed186e60b1aa757c38b2f18780137d5e41dbf Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 3 Mar 2017 12:57:21 +0100
Subject: [PATCH] Run test_ipaclient test suite

Signed-off-by: Christian Heimes 
---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.travis.yml b/.travis.yml
index 04b766b..1a8f1b3 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -21,6 +21,7 @@ env:
 - TASK_TO_RUN="run-tests"
   TESTS_TO_RUN="test_cmdline
 test_install
+test_ipaclient
 test_ipalib
 test_ipapython
 test_ipaserver
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#583][synchronized] ipaplatform/debian/services: Fix is_running arguments.

2017-03-14 Thread tjaalton 
   URL: https://github.com/freeipa/freeipa/pull/583
Author: tjaalton
 Title: #583: ipaplatform/debian/services: Fix is_running arguments.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/583/head:pr583
git checkout pr583
From fb4ea5c5411de2bddbdfa9a1a8304dc641dd1924 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 14 Mar 2017 16:32:22 +0200
Subject: [PATCH 1/3] ipaplatform/debian/services: Fix is_running arguments.

---
 ipaplatform/debian/services.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaplatform/debian/services.py b/ipaplatform/debian/services.py
index 85fba56..5eef5ff 100644
--- a/ipaplatform/debian/services.py
+++ b/ipaplatform/debian/services.py
@@ -72,7 +72,7 @@ def restart(self, instance_name='', capture_output=True, wait=True):
 if wait and self.is_running(instance_name):
 self.__wait_for_open_ports(instance_name)
 
-def is_running(self, instance_name=""):
+def is_running(self, instance_name="", wait=True):
 ret = True
 try:
 result = ipautil.run([paths.SBIN_SERVICE,

From ce487555d0b0dcf59b75a0b828306bee2e065447 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 14 Mar 2017 16:43:22 +0200
Subject: [PATCH 2/3] ipaplatform/debian/paths: Add IPA_HTTPD_KDCPROXY.

---
 ipaplatform/debian/paths.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index ad0e13c..1f1b9a7 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -71,6 +71,7 @@ class DebianPathNamespace(BasePathNamespace):
 GENERATE_RNDC_KEY = "/bin/true"
 IPA_DNSKEYSYNCD_REPLICA = "/usr/lib/ipa/ipa-dnskeysync-replica"
 IPA_DNSKEYSYNCD = "/usr/lib/ipa/ipa-dnskeysyncd"
+IPA_HTTPD_KDCPROXY = "/usr/lib/ipa/ipa-httpd-kdcproxy"
 IPA_ODS_EXPORTER = "/usr/lib/ipa/ipa-ods-exporter"
 HTTPD = "/usr/sbin/apache2ctl"
 REMOVE_DS_PL = "/usr/sbin/remove-ds"

From a0e1b818239720f0d523a2a87065cc8e4c26bb21 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 14 Mar 2017 17:24:56 +0200
Subject: [PATCH 3/3] ipaplatform/debian/paths: Rename IPA_KEYTAB to
 OLD_IPA_KEYTAB.

---
 ipaplatform/debian/paths.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index 1f1b9a7..e661a8d 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -26,7 +26,7 @@ class DebianPathNamespace(BasePathNamespace):
 HTTPD_IPA_REWRITE_CONF = "/etc/apache2/conf-available/ipa-rewrite.conf"
 HTTPD_IPA_CONF = "/etc/apache2/conf-enabled/ipa.conf"
 HTTPD_NSS_CONF = "/etc/apache2/mods-available/nss.conf"
-IPA_KEYTAB = "/etc/apache2/ipa.keytab"
+OLD_IPA_KEYTAB = "/etc/apache2/ipa.keytab"
 HTTPD_PASSWORD_CONF = "/etc/apache2/password.conf"
 NAMED_CONF = "/etc/bind/named.conf"
 NAMED_VAR_DIR = "/var/cache/bind"
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Martin Basti 


On 14.03.2017 14:50, Jakub Hrozek wrote:
> On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
>> Hello,
>>
>> DRAFT for FreeIPA 4.5.0 release notes is ready
>> http://www.freeipa.org/page/Releases/4.5.0
>>
>> Please update/let me know what is missing, what is extra.
> Please update this paragraph:
> 
> AD User Short Names
>
> Support for AD users short names has been added. Short
> names can be enabled from CLI by setting ipa config-mod
> --domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
> or from WebUI under Configuration tab. No manual configuration on SSSD
> side is required.
> 
>
> With a note that this feature is not supported by SSSD yet and the work
> is tracked with https://pagure.io/SSSD/sssd/issue/3210
>
I updated that section. Shouldn't we remove it completely from release
notes because it will not work until new SSSD is released?



signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-14 Thread abbra 
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

abbra commented:
"""
Yes, it is expected too. Remember that 'Default Trust View' is a view that 
applies globally. You have already global setting to apply.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286456329
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Rob Crittenden 
Standa Laznicka wrote:
> On 03/14/2017 03:14 PM, Martin Basti wrote:
>> On 14.03.2017 14:56, Luc de Louw wrote:
>>> My 3 cents...
>>>
>>> "Please note that FIPS 140-2 support may not work on some platforms"
>>>
>>> -> Does is work in Fedora? Should be worth mention it so people are
>>> more encouraged to test it in Fedora before its getting to RHEL 7.4
>>>
>>> Thanks,
>>>
>>> Luc
>> We cannot guarantee that FIPS mode will work with fedora, any package
>> update may break it.
> Fedora itself is not capable of running in FIPS mode so there's no point
> adding it there.

I can't believe this is correct. Did you try it and it failed? Did you
file bugs?

The dracut-fips and dracut-fips-aesni packages are both available.

# cat /etc/redhat-release
Fedora release 25 (Twenty Five)
# sysctl crypto.fips_enabled
crypto.fips_enabled = 0

So the basic stuff is there and the kernel knows what FIPS is.

Any NSS-based application can enable FIPS-mode independently of the
kernel via modutil or application-specific settings (e.g. NSSFIPS in
mod_nss).

rob

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-14 Thread martbab 
  URL: https://github.com/freeipa/freeipa/pull/573
Title: #573: Provide centralized management of user short name resolution

martbab commented:
"""
PR rebased, I have fixed bugs in ID view objectclass handling and re-used the 
trusted domain retrieval code in certmap plugin. This is a separate commit so 
it can be removed if necessary.

I have noticed that with current PR we can not add the domain resolution order 
to Default Trust View, as it is protected from both modification and removal. 
@abbra is this expected also in this case? 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/573#issuecomment-286454496
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#573][synchronized] Provide centralized management of user short name resolution

2017-03-14 Thread martbab 
   URL: https://github.com/freeipa/freeipa/pull/573
Author: martbab
 Title: #573: Provide centralized management of user short name resolution
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/573/head:pr573
git checkout pr573
From 5e9291aaf7dfd92c5983f0bcd80976b1f597ac58 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 9 Mar 2017 14:24:21 +0100
Subject: [PATCH 1/4] Short name resolution: introduce the required schema

Add ipaDomainResolutionOrder and ipaNameResolutionData to IPAv3 schema.
Extend ipaConfig object with ipaNameResolutionData objectclass during
update.

https://pagure.io/freeipa/issue/6372
---
 install/share/60basev3.ldif | 2 ++
 install/updates/50-ipaconfig.update | 1 +
 2 files changed, 3 insertions(+)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 059174b..efc6c8a 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -57,6 +57,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#1
 attributeTypes: (2.16.840.1.113730.3.8.11.70 NAME 'ipaPermTargetTo' DESC 'Destination location to move an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
 attributeTypes: (2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 'Source location from where moving an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
 attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name associated with the domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+attributeTypes: (2.16.840.1.113730.3.8.11.77 NAME 'ipaDomainResolutionOrder' DESC 'List of domains used to resolve a short name' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.5')
 attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2')
 attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
 # FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1267782
@@ -84,5 +85,6 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap
 objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
 objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
 objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' )
+objectClasses: (2.16.840.1.113730.3.8.12.39 NAME 'ipaNameResolutionData' DESC 'Data used to resolve short names to fully-qualified form' SUP top AUXILIARY MAY ( ipaDomainResolutionOrder ) X-ORIGIN 'IPA v4.5')
 objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaVaultPublicKey $ owner $ member ) X-ORIGIN 'IPA v4.2' )
 objectClasses: (2.16.840.1.113730.3.8.18.1.2 NAME 'ipaVaultContainer' DESC 'IPA vault container' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner ) X-ORIGIN 'IPA v4.2' )
diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
index 89a1726..23d2919 100644
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@@ -4,3 +4,4 @@ add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
 add:ipaUserObjectClasses: ipasshuser
 remove:ipaConfigString:AllowLMhash
 add:objectClass: ipaUserAuthTypeClass
+add:objectClass: ipaNameResolutionData

From f1affc6f2ca6f892e7ea8b49a070fb398daa88f2 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 9 Mar 2017 18:14:52 +0100
Subject: [PATCH 2/4] ipaconfig: add the ability to manipulate domain
 resolution order

optional attribute was added to config object along with validator that
check for valid domain names and also checks whether the specified
domains exist in FreeIPA or in trusted forests and, in case of trusted
domains, are not disabled.

Part of http://www.freeipa.org/page/V4/AD_User_Short_Names

https://pagure.io/freeipa/issue/6372
---
 ACI.txt |   2 +-
 API.txt |   3 +-
 VERSION.m4  |   4 +-
 ipaserver/plugins/config.py | 115 +++-
 4 files changed, 118 insertions(+), 6 deletions(-)

diff

[Freeipa-devel] [freeipa PR#573][synchronized] Provide centralized management of user short name resolution

2017-03-14 Thread martbab 
   URL: https://github.com/freeipa/freeipa/pull/573
Author: martbab
 Title: #573: Provide centralized management of user short name resolution
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/573/head:pr573
git checkout pr573
From 5e9291aaf7dfd92c5983f0bcd80976b1f597ac58 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 9 Mar 2017 14:24:21 +0100
Subject: [PATCH 1/4] Short name resolution: introduce the required schema

Add ipaDomainResolutionOrder and ipaNameResolutionData to IPAv3 schema.
Extend ipaConfig object with ipaNameResolutionData objectclass during
update.

https://pagure.io/freeipa/issue/6372
---
 install/share/60basev3.ldif | 2 ++
 install/updates/50-ipaconfig.update | 1 +
 2 files changed, 3 insertions(+)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 059174b..efc6c8a 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -57,6 +57,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.65 NAME 'ipaWrappingMech' DESC 'PKCS#1
 attributeTypes: (2.16.840.1.113730.3.8.11.70 NAME 'ipaPermTargetTo' DESC 'Destination location to move an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
 attributeTypes: (2.16.840.1.113730.3.8.11.71 NAME 'ipaPermTargetFrom' DESC 'Source location from where moving an entry IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v4.0' )
 attributeTypes: ( 2.16.840.1.113730.3.8.11.75 NAME 'ipaNTAdditionalSuffixes' DESC 'Suffix for the user principal name associated with the domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
+attributeTypes: (2.16.840.1.113730.3.8.11.77 NAME 'ipaDomainResolutionOrder' DESC 'List of domains used to resolve a short name' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'IPA v4.5')
 attributeTypes: (2.16.840.1.113730.3.8.18.2.1 NAME 'ipaVaultType' DESC 'IPA vault type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2')
 attributeTypes: (2.16.840.1.113730.3.8.18.2.2 NAME 'ipaVaultSalt' DESC 'IPA vault salt' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'IPA v4.2' )
 # FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1267782
@@ -84,5 +85,6 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap
 objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
 objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' )
 objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' )
+objectClasses: (2.16.840.1.113730.3.8.12.39 NAME 'ipaNameResolutionData' DESC 'Data used to resolve short names to fully-qualified form' SUP top AUXILIARY MAY ( ipaDomainResolutionOrder ) X-ORIGIN 'IPA v4.5')
 objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaVaultPublicKey $ owner $ member ) X-ORIGIN 'IPA v4.2' )
 objectClasses: (2.16.840.1.113730.3.8.18.1.2 NAME 'ipaVaultContainer' DESC 'IPA vault container' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner ) X-ORIGIN 'IPA v4.2' )
diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
index 89a1726..23d2919 100644
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@@ -4,3 +4,4 @@ add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
 add:ipaUserObjectClasses: ipasshuser
 remove:ipaConfigString:AllowLMhash
 add:objectClass: ipaUserAuthTypeClass
+add:objectClass: ipaNameResolutionData

From f1affc6f2ca6f892e7ea8b49a070fb398daa88f2 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Thu, 9 Mar 2017 18:14:52 +0100
Subject: [PATCH 2/4] ipaconfig: add the ability to manipulate domain
 resolution order

optional attribute was added to config object along with validator that
check for valid domain names and also checks whether the specified
domains exist in FreeIPA or in trusted forests and, in case of trusted
domains, are not disabled.

Part of http://www.freeipa.org/page/V4/AD_User_Short_Names

https://pagure.io/freeipa/issue/6372
---
 ACI.txt |   2 +-
 API.txt |   3 +-
 VERSION.m4  |   4 +-
 ipaserver/plugins/config.py | 115 +++-
 4 files changed, 118 insertions(+), 6 deletions(-)

diff

[Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation

2017-03-14 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/542
Title: #542: Implementation independent interface for CSR generation

tiran commented:
"""
@LiptonB needs rebase
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/542#issuecomment-286452115
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Standa Laznicka 

On 03/14/2017 03:14 PM, Martin Basti wrote:

On 14.03.2017 14:56, Luc de Louw wrote:

My 3 cents...

"Please note that FIPS 140-2 support may not work on some platforms"

-> Does is work in Fedora? Should be worth mention it so people are
more encouraged to test it in Fedora before its getting to RHEL 7.4

Thanks,

Luc

We cannot guarantee that FIPS mode will work with fedora, any package
update may break it.
Fedora itself is not capable of running in FIPS mode so there's no point 
adding it there.



On 03/14/2017 02:50 PM, Jakub Hrozek wrote:

On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:

Hello,

DRAFT for FreeIPA 4.5.0 release notes is ready
http://www.freeipa.org/page/Releases/4.5.0

Please update/let me know what is missing, what is extra.

Please update this paragraph:

AD User Short Names

Support for AD users short names has been added. Short
names can be enabled from CLI by setting ipa config-mod
--domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
or from WebUI under Configuration tab. No manual configuration on SSSD
side is required.


With a note that this feature is not supported by SSSD yet and the work
is tracked with https://pagure.io/SSSD/sssd/issue/3210



--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare

2017-03-14 Thread abbra 
  URL: https://github.com/freeipa/freeipa/pull/582
Title: #582: Remove pkinit from ipa-replica-prepare

abbra commented:
"""
They were in DL0 in `ipa-server-install` for very long time and never worked. 
We left them there to make sure we can get them back to work sometime later. We 
did but in new design `ipa-replica-prepare` does not need to use these options, 
unlike `ipa-server-install`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/582#issuecomment-286449785
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features

2017-03-14 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

tiran commented:
"""
sigh, template markers aren't picked up automatically. I fixed 
```init/systemd/Makefile.am```.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/517#issuecomment-286448906
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#517][synchronized] [WIP] Use Custodia 0.3 features

2017-03-14 Thread tiran 
   URL: https://github.com/freeipa/freeipa/pull/517
Author: tiran
 Title: #517: [WIP] Use Custodia 0.3 features
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/517/head:pr517
git checkout pr517
From dda3378a35020232b95e01e46c18e9850d48e0b6 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 28 Feb 2017 12:07:19 +0100
Subject: [PATCH] Use Custodia 0.3 features

* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
  default setting for IPA's config file. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia

https://pagure.io/freeipa/issue/5825

Signed-off-by: Christian Heimes 
---
 freeipa.spec.in  | 13 -
 init/systemd/Makefile.am |  1 +
 init/systemd/ipa-custodia.service.in |  5 ++---
 install/tools/Makefile.am|  1 +
 install/tools/ipa-custodia   |  6 ++
 ipapython/setup.py   |  1 -
 ipaserver/secrets/service.py | 30 ++
 ipaserver/setup.py   |  1 +
 ipasetup.py.in   |  1 +
 9 files changed, 50 insertions(+), 9 deletions(-)
 create mode 100755 install/tools/ipa-custodia
 create mode 100644 ipaserver/secrets/service.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index edffa6b..4fe5bfe 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -163,7 +163,8 @@ BuildRequires:  pki-base-python2
 BuildRequires:  python-pytest-multihost
 BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-jwcrypto
-BuildRequires:  python-custodia
+# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
+BuildRequires:  python-custodia >= 0.3
 BuildRequires:  dbus-python
 BuildRequires:  python-dateutil
 BuildRequires:  python-enum34
@@ -199,7 +200,8 @@ BuildRequires:  pki-base-python3
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
 BuildRequires:  python3-jwcrypto
-BuildRequires:  python3-custodia
+# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
+BuildRequires:  python3-custodia >= 0.3
 BuildRequires:  python3-dbus
 BuildRequires:  python3-dateutil
 BuildRequires:  python3-enum34
@@ -318,6 +320,7 @@ BuildArch: noarch
 Requires: %{name}-server-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaclient = %{version}-%{release}
+Requires: python-custodia >= 0.3
 Requires: python-ldap >= 2.4.15
 Requires: python-lxml
 Requires: python-gssapi >= 1.2.0
@@ -348,6 +351,7 @@ BuildArch: noarch
 Requires: %{name}-server-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-custodia >= 0.3
 Requires: python3-pyldap >= 2.4.15
 Requires: python3-lxml
 Requires: python3-gssapi >= 1.2.0
@@ -377,7 +381,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= 2.4.6-31
 Requires: systemd-units >= 38
-Requires: custodia
+Requires: custodia >= 0.3
 
 Provides: %{alt_name}-server-common = %{version}
 Conflicts: %{alt_name}-server-common
@@ -624,7 +628,6 @@ Requires: python-jwcrypto
 Requires: python-cffi
 Requires: python-ldap >= 2.4.15
 Requires: python-requests
-Requires: python-custodia
 Requires: python-dns >= 1.15
 Requires: python-enum34
 Requires: python-netifaces >= 0.10.4
@@ -673,7 +676,6 @@ Requires: python3-six
 Requires: python3-jwcrypto
 Requires: python3-cffi
 Requires: python3-pyldap >= 2.4.15
-Requires: python3-custodia
 Requires: python3-requests
 Requires: python3-dns >= 1.15
 Requires: python3-netifaces >= 0.10.4
@@ -1126,6 +1128,7 @@ fi
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
 %dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
diff --git a/init/systemd/Makefile.am b/init/systemd/Makefile.am
index 325e857..945f6ac 100644
--- a/init/systemd/Makefile.am
+++ b/init/systemd/Makefile.am
@@ -18,5 +18,6 @@ CLEANFILES = $(systemdsystemunit_DATA)
 		-e 's|@IPA_SYSCONF_DIR[@]|$(IPA_SYSCONF_DIR)|g' \
 		-e 's|@localstatedir[@]|$(localstatedir)|g' \
 		-e 's|@sbindir[@]|$(sbindir)|g' \
+		-e 's|@libexecdir[@]|$(libexecdir)|g' \
 		-e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
 		'$(srcdir)/$@.in' >$@
diff --git a/init/systemd/ipa-custodia.service.in b/init/systemd/ipa-custodia.service.in
index 3f9b128..0247bd8 100644
--- a/init/systemd/ipa-custodia.service.in
+++ b/init/systemd/ipa-custodia.service.in
@@ -2,9 +2,8 @@
 Description=IPA Custodia Service
 
 [Service]
-Type=simple
-
-ExecStart=@sbindir@/custodia @IPA_SYSCONF_DIR@/custodia/custodia.conf
+Type=notify

[Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare

2017-03-14 Thread HonzaCholasta 
  URL: https://github.com/freeipa/freeipa/pull/582
Title: #582: Remove pkinit from ipa-replica-prepare

HonzaCholasta commented:
"""
The options were available since forever, so I guess you should just hide them 
instead of removing them.

The same options are still available in domain level 0 `ipa-server-install` - 
is this intentional?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/582#issuecomment-286448587
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching

2017-03-14 Thread tiran 
  URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching

tiran commented:
"""
@simo5 please resolve the merge conflict
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/543#issuecomment-286448385
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#531][-ack] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-14 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

Label: -ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare

2017-03-14 Thread abbra 
  URL: https://github.com/freeipa/freeipa/pull/582
Title: #582: Remove pkinit from ipa-replica-prepare

abbra commented:
"""
LGTM.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/582#issuecomment-286447734
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#531][+ack] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-14 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-14 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

stlaz commented:
"""
It seems to work fine for "mod_nss" reinstalls but `ipa-server-upgrade` is 
currently failing so I can't confirm that's ok.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/531#issuecomment-286446500
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#531][comment] httpinstance: disable system trust module in /etc/httpd/alias

2017-03-14 Thread stlaz 
  URL: https://github.com/freeipa/freeipa/pull/531
Title: #531: httpinstance: disable system trust module in /etc/httpd/alias

stlaz commented:
"""
It seems to work fine for "mod_nss" reinstalls but `ipa-server-upgrade` is 
currently failing so I can't confirm that's ok.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/531#issuecomment-286446500
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/582
Title: #582: Remove pkinit from ipa-replica-prepare

MartinBasti commented:
"""
Works for me. @abbra @simo5 do you have any objections?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/582#issuecomment-286444597
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#583][synchronized] ipaplatform/debian/services: Fix is_running arguments.

2017-03-14 Thread tjaalton 
   URL: https://github.com/freeipa/freeipa/pull/583
Author: tjaalton
 Title: #583: ipaplatform/debian/services: Fix is_running arguments.
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/583/head:pr583
git checkout pr583
From fb4ea5c5411de2bddbdfa9a1a8304dc641dd1924 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 14 Mar 2017 16:32:22 +0200
Subject: [PATCH 1/2] ipaplatform/debian/services: Fix is_running arguments.

---
 ipaplatform/debian/services.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaplatform/debian/services.py b/ipaplatform/debian/services.py
index 85fba56..5eef5ff 100644
--- a/ipaplatform/debian/services.py
+++ b/ipaplatform/debian/services.py
@@ -72,7 +72,7 @@ def restart(self, instance_name='', capture_output=True, wait=True):
 if wait and self.is_running(instance_name):
 self.__wait_for_open_ports(instance_name)
 
-def is_running(self, instance_name=""):
+def is_running(self, instance_name="", wait=True):
 ret = True
 try:
 result = ipautil.run([paths.SBIN_SERVICE,

From ce487555d0b0dcf59b75a0b828306bee2e065447 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 14 Mar 2017 16:43:22 +0200
Subject: [PATCH 2/2] ipaplatform/debian/paths: Add IPA_HTTPD_KDCPROXY.

---
 ipaplatform/debian/paths.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index ad0e13c..1f1b9a7 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -71,6 +71,7 @@ class DebianPathNamespace(BasePathNamespace):
 GENERATE_RNDC_KEY = "/bin/true"
 IPA_DNSKEYSYNCD_REPLICA = "/usr/lib/ipa/ipa-dnskeysync-replica"
 IPA_DNSKEYSYNCD = "/usr/lib/ipa/ipa-dnskeysyncd"
+IPA_HTTPD_KDCPROXY = "/usr/lib/ipa/ipa-httpd-kdcproxy"
 IPA_ODS_EXPORTER = "/usr/lib/ipa/ipa-ods-exporter"
 HTTPD = "/usr/sbin/apache2ctl"
 REMOVE_DS_PL = "/usr/sbin/remove-ds"
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#583][opened] ipaplatform/debian/services: Fix is_running arguments.

2017-03-14 Thread tjaalton 
   URL: https://github.com/freeipa/freeipa/pull/583
Author: tjaalton
 Title: #583: ipaplatform/debian/services: Fix is_running arguments.
Action: opened

PR body:
"""
Brown paper bag moment, discovered when trying to install 4.4.x.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/583/head:pr583
git checkout pr583
From fb4ea5c5411de2bddbdfa9a1a8304dc641dd1924 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Tue, 14 Mar 2017 16:32:22 +0200
Subject: [PATCH] ipaplatform/debian/services: Fix is_running arguments.

---
 ipaplatform/debian/services.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaplatform/debian/services.py b/ipaplatform/debian/services.py
index 85fba56..5eef5ff 100644
--- a/ipaplatform/debian/services.py
+++ b/ipaplatform/debian/services.py
@@ -72,7 +72,7 @@ def restart(self, instance_name='', capture_output=True, wait=True):
 if wait and self.is_running(instance_name):
 self.__wait_for_open_ports(instance_name)
 
-def is_running(self, instance_name=""):
+def is_running(self, instance_name="", wait=True):
 ret = True
 try:
 result = ipautil.run([paths.SBIN_SERVICE,
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#569][+pushed] Remove copy-schema-to-ca.py from master branch

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/569
Title: #569: Remove copy-schema-to-ca.py from master branch

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#569][comment] Remove copy-schema-to-ca.py from master branch

2017-03-14 Thread MartinBasti 
  URL: https://github.com/freeipa/freeipa/pull/569
Title: #569: Remove copy-schema-to-ca.py from master branch

MartinBasti commented:
"""
master:

* f4c7f1dd8a9ce530a8291219a904686ee47e59c7 Remove copy-schema-to-ca.py from 
master branch
* ca5b53adccdd581bc39233378c422ca448e6edd2 Add copy-schema-to-ca for RHEL6 to 
contrib/
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/569#issuecomment-286434510
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#569][closed] Remove copy-schema-to-ca.py from master branch

2017-03-14 Thread MartinBasti 
   URL: https://github.com/freeipa/freeipa/pull/569
Author: MartinBasti
 Title: #569: Remove copy-schema-to-ca.py from master branch
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/569/head:pr569
git checkout pr569
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Martin Basti 


On 14.03.2017 15:06, Alexander Bokovoy wrote:
> On ti, 14 maalis 2017, Luc de Louw wrote:
>> My 3 cents...
>>
>> "Please note that FIPS 140-2 support may not work on some platforms"
>>
>> -> Does is work in Fedora? Should be worth mention it so people are
>> more encouraged to test it in Fedora before its getting to RHEL 7.4
> I think we should actually add an explicit statement for trust to AD not
> currently supporting FIPS 140-2 mode.
>
I will add it to known issues



signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Martin Basti 


On 14.03.2017 14:56, Luc de Louw wrote:
> My 3 cents...
>
> "Please note that FIPS 140-2 support may not work on some platforms"
>
> -> Does is work in Fedora? Should be worth mention it so people are
> more encouraged to test it in Fedora before its getting to RHEL 7.4
>
> Thanks,
>
> Luc

We cannot guarantee that FIPS mode will work with fedora, any package
update may break it.

>
>
>
> On 03/14/2017 02:50 PM, Jakub Hrozek wrote:
>> On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote:
>>> Hello,
>>>
>>> DRAFT for FreeIPA 4.5.0 release notes is ready
>>> http://www.freeipa.org/page/Releases/4.5.0
>>>
>>> Please update/let me know what is missing, what is extra.
>>
>> Please update this paragraph:
>> 
>> AD User Short Names
>>
>> Support for AD users short names has been added. Short
>> names can be enabled from CLI by setting ipa config-mod
>> --domain-resolution-order="domain.test:ad.domain1.test:ad.domain2.test"
>> or from WebUI under Configuration tab. No manual configuration on SSSD
>> side is required.
>> 
>>
>> With a note that this feature is not supported by SSSD yet and the work
>> is tracked with https://pagure.io/SSSD/sssd/issue/3210
>>
>




signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login

2017-03-14 Thread dkupka 
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

dkupka commented:
"""
master:

* 75c592d3b9081474cae51c929e6af29c7a0eebb6 Support certificate login after 
installation and upgrade
* 585547ee9478ea0173106d88d40d7807baab8bcf WebUI: add link to login page which 
for login using certificate
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/559#issuecomment-286433787
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#559][+pushed] WebUI: Certificate login

2017-03-14 Thread dkupka 
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#559][closed] WebUI: Certificate login

2017-03-14 Thread dkupka 
   URL: https://github.com/freeipa/freeipa/pull/559
Author: pvomacka
 Title: #559: WebUI: Certificate login
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/559/head:pr559
git checkout pr559
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#559][+ack] WebUI: Certificate login

2017-03-14 Thread dkupka 
  URL: https://github.com/freeipa/freeipa/pull/559
Title: #559: WebUI: Certificate login

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

  1   2   >